BlackBerry releases August 2017 Android Security Update for BlackBerry Android devices

Rapid John
Posted on August 14, 2017, 6:41 pm
13 mins

BlackBerry has today rolled out the August 2017 Android Security update to BlackBerry Android devices.

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.

The following vulnerabilities have been remediated in this update:

Summary Description CVE
Elevation of Privilege in WiFi In the Wi-Fi service, a copy into a stack structure is not checked for length before the operation is performed. CVE-2017-0712
Remote Code Execution in Sfntly In the sfntly library used by libskia, a malformed font file could achieve privilege escalation due to an out-of-bounds read and probable write. CVE-2017-0713
Remote Code Execution in Mediaserver There is a missing bounds check in the GetMBHeader() function of the h263 decoder, that could lead to a heap memory overflow. Exploitation of this by a malicious MP4 file could lead to memory corruption and code execution in a privileged process. CVE-2017-0714
Remote Code Execution in Mediaserver In decoder/ih264d_utils.c in ih264d_allocate_dynamic_bufs (of libavc), there is an out-of-bounds write issue, which could lead to remote arbitrary code execution. CVE-2017-0715
Remote Code Execution in Mediaserver In decoder/impeg2d_vld.c in impeg2d_vld_decode (of libmpeg2), a missing bounds check can cause a head buffer overflow that could lead to remote arbitrary code execution in privileged process. CVE-2017-0716
Remote Code Execution in Mediaserver In the mpeg2 decoder, reading a different vertical slice than the one at the current decode position could result in an invalid calculation of the amount of data remaining. CVE-2017-0718
Remote Code Execution in Mediaserver In the mpeg2 decoder, an invalid picture structure could cause an out-of-bounds write, which could lead to memory corruption and code execution in a privileged process. CVE-2017-0719
Remote Code Execution in Mediaserver In decoder/ihevcd_parse_slice.c (of libhevc) a potential memory corruption could occur leading to remote arbitrary code execution. CVE-2017-0720
Remote Code Execution in Mediaserver In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height. Parsing a malicious media file could lead to a clip dimension change which could lead to an out-of-bounds write leading to a remote arbitrary code execution. CVE-2017-0721
Remote Code Execution in Mediaserver In the h263 decoder, a malformed mpeg4 file could lead to an out-of-bounds write in a privileged process due to a size mismatch between the frame header and the frame body. CVE-2017-0722
Remote Code Execution in Mediaserver In decoder/ih264d_format_conv.c in ih264d_fmt_conv_420sp_to_420sp (of libavc), a heap buffer overflow could occur due to an unchecked num_rows in the memcpy, which could lead to remote arbitrary code execution in privileged process. CVE-2017-0723
Remote Code Execution in Mediaserver In m4v_h263/dec/src/vop.cpp in DecodeShortHeader (of libstagefright), there is no check that the height and width are less than the total video size. CVE-2017-0745
Denial of Service in Mediaserver In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height. CVE-2017-0724
Denial of Service in Mediaserver In libstagefright/MPEG4Extractor.cpp in MPEG4Extractor::parseMetaData (of libstagefright) a memory leak could lead to resouRemote Code Execution exhaustion which could lead to a remote temporary denial of service. CVE-2017-0726
Denial of Service in Mediaserver In the hevc software decoder, a malformed mpeg4 file could result in a null pointer dereference. CVE-2017-0728
Elevation of Privilege in MediaDrmServer There is a possible integer overflow in the clearkey plugin for the MediaDrmServer process. CVE-2017-0729
Denial of Service in Mediaserver In the h264 decoder, a malformed mpeg4 file could cause a crash. CVE-2017-0730
Elevation of Privilege in Mediaserver In the mpeg4 encoder, an app could set a zero width or height parameter causing a bad allocation, but change the width or height later. When the encoder is cleaned up, the wrong address is freed, which could to memory corruption and code execution. CVE-2017-0731
Elevation of Privilege in Mediaserver There is a vulnerability in mediaserver where an application could cause a hang in a mediaserver thread creating a graphics buffer. Another thread attempting to use that buffer could cause the reference count to be decremented and the buffer freed. When the creating thread resumes, it uses the buffer that has already been freed, which could lead to memory corruption and code execution. CVE-2017-0732
Denial of Service in Mediaserver In NuPlayerDecoder (of libmediaplayerservice), when processing bad input data, a CHECK abort could lead to a remote temporary denial of service. CVE-2017-0733
Denial of Service in Mediaserver In decoder/ih264d_dpb_mgr.c in ih264d_delete_st_node_or_make_lt (of libavc), a null pointer dereference could lead to a remote temporary denial of service. CVE-2017-0734
Denial of Service in Mediaserver In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc) a crafted media could cause an infinite loop due to improper input validation when changing resolutions which could lead to a remote temporary denial of service. CVE-2017-0735
Denial of Service in Mediaserver In decoder/ih264d_parse_headers.c in ih264d_parse_nal_unit (of libavc) a crafted media could lead to an infinite loop due to missing input validation which could lead to a remote temporary denial of service. CVE-2017-0736
Denial of Service in Mediaserver In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc), improper input validation could lead to remote temporary denial of service when the media stream changes resolution. CVE-2017-0687
Elevation of Privilege in Mediaserver In libgui.so, a missing bounds check could lead to an arbitrary write in a privileged process which could lead to an elevation of privilege. CVE-2017-0737
Information Disclosure in Mediaserver Inside audioserver the parameters of equalizer Effect_command is not properly checked and could cause an out-of-bounds read leading to information disclosure. CVE-2017-0738
Information Disclosure in Mediaserver In decoder/ihevcd_nal.c in ihevcd_nal_remv_emuln_bytes (of libhevc), an out-of-bounds read could lead to information disclosure. CVE-2017-0739
Remote Code Execution in Broadcom WiFi After the patch for CVE-2016-0802 (ANDROID-25306181), if a device had updated the kernel but not the bcm4354 firmware, there were still possible out-of-bounds memory writes if the chip sent a ETHER_TYPE_BRCM packet to the host with a malformed length. CVE-2017-0740
Elevation of Privilege in Kernel File System Unvalidated input parameters In the F2FS module could allow for kernel memory corruption, which could result in arbitrary code execution in the TCB. CVE-2017-0750
Elevation of Privilege in Kernel In msm/kernel/trace/trace.c, there is insufficient locking when accessing savedcmd that could result in a use after free, leading to escalation of privilege. CVE-2017-0749
Elevation of Privilege in Qualcomm IPA Driver An integer overflow in the reference counter variables in the ipa driver could cause a potential use after free leading to elevation of privilege. CVE-2017-0746
Elevation of Privilege Elevation of Privilege in Qualcomm Component The qseecomd process has CAP_SYS_ADMIN and CAP_NET_RAW capabilities which are not necessary. CVE-2017-0747
Elevation of Privilege Elevation of Privilege in Qualcomm Video Driver In the /dev/graphics/fb0 driver when running a 32-bit kernel, there is an out-of-bounds write that could lead to escalation of privilege. CVE-2017-9678
Elevation of Privilege Elevation of Privilege in Qualcomm MobiCore Driver Reading from /sys/kernel/debug/trustonic_tee/info, on devices where it exists, could lead to an escalation of privilege, due to insufficient locking. CVE-2017-9691
Elevation of Privilege in Qualcomm USB Driver In rndis_qc_bind_config_vendor and related functions, access to the _rndis_qc variable is not protected by a lock. There is a possible use after free vulnerability that could lead to escalation of privilege. CVE-2017-9684
Information Disclosure in Qualcomm GPU Driver There is an improper locking causing use after free issue in kgsl device which could lead to information disclosure. CVE-2017-9682
Information Disclosure in Qualcomm SoC Driver In the qbt1000 driver, a user space string is copied into local buffer without ensuring that it is properly NULL terminated. CVE-2017-9679
Information Disclosure in Qualcomm SoC Driver Uninitialized variables in the qbt1000 driver could lead to information disclosure. CVE-2017-9680
Information Disclosure in Qualcomm Audio Driver In the audio driver, a missing return value check together with an uninitialized local variable could lead to information disclosure. CVE-2017-0748
Information Disclosure in Qualcomm Radio Driver The function iris_vidioc_s_ext_ctrls directly dereferences a user-passed pointer as a string, which could lead to information disclosure. CVE-2017-9681
Information Disclosure in Qualcomm Networking Driver In __wlan_hdd_change_station, the length of params->ext_capab has insufficient checks, which could lead to information disclosure due to an out-of-bounds read. CVE-2017-9693
Information Disclosure in Qualcomm Networking Driver In __wlan_hdd_cfg80211_extscan_set_bssid_hotlist, the policy used to enfoRemote Code Execution the size of the attributes for nla_parse does not include an entry for QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE, which could lead to a possible out-of-bounds read and information disclosure. CVE-2017-9694
Elevation of Privilege in Qualcomm QCE Driver Multiple IOCTLs within the QCE driver use a non-validated field provided by the user. CVE-2017-0751

If you own an Android device from BlackBerry and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates and checking manually. Look for the following Android security patch level August 5, 2017 or later.

Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.

Rapid John
Rapid John has a quarter of a century in programming for Government and Corporate bodies and is proficient in most major programming languages.  He is constantly running around showing us his latest bit of code and telling us how fantastic it is. (John we know). He is responsible for carrying out presentations to corporate and business customers and is a BlackBerry Elite.

Leave a Reply

You must be logged in to post a comment.